Indonesia's Privacy Law: Object to AI Decisions | TLY

AI Regulation Tracker  /  Legislation in force

Indonesia's PDP Law: human-review right for automated decisions, DPIA duty now in force

Indonesia's Personal Data Protection Law lets people demand human review of decisions made solely by automated systems and requires a data-protection impact assessment before high-risk processing. Credit scoring, insurance underwriting, and telco risk models are squarely in scope.

Indonesia's PDP Law: human-review right for automated decisions, DPIA duty now in force regulation briefing
The Leveraged Years AI Regulation Tracker

Indonesia's Personal Data Protection Law, Law No. 27 of 2022, is now doing what a statute on the books cannot do until its transition ends: imposing live duties on the firms that decide who gets a loan, a policy, or a phone contract. The law was enacted on October 17, 2022, and after a two-year grace period it became fully enforceable in October 2024. Two of its provisions matter most to any business that lets software make consequential calls about people.

The Article 10 right: a human in the loop

Article 10 gives data subjects the right to object to a decision that is based solely on automated processing, including profiling, where that decision produces a legal effect or a similarly significant effect on the person. In practice, the subject can object to the outcome, with the human-review mechanics deferred to the pending implementing regulation. This is Indonesia's analogue to Article 22 of the European Union's General Data Protection Regulation, and it lands directly on the automated systems that operational firms rely on: bank and fintech credit scoring, insurance underwriting, and telco risk models.

The reach is broad, but there is an honest limit to how far the right can be exercised today. The procedural mechanics of Article 10, meaning the timelines for responding to an objection and the exact steps for a subject to invoke the right, are expected to be set by the implementing Government Regulation. That regulation has not yet been signed. So the substantive right exists and the obligation to honor it exists, but the detailed rulebook for how it operates is still pending. Firms should treat the right as live and build a human-review capability rather than wait for the procedure to be published.

The Article 34 duty: assess before you deploy

Article 34 is not waiting on anything. It requires a controller to carry out a data-protection impact assessment, a DPIA, before undertaking high-risk processing. The law frames high-risk processing to include automated decision-making that produces legal or significant effect, large-scale systematic monitoring, and large-scale processing of sensitive or specific personal data. If a firm runs an automated model that decides credit, coverage, or risk exposure at scale, that is the category the DPIA duty was written for, and the assessment must be completed before deployment.

The practical signal that this duty already bites came through a separate instrument. PP No. 17 of 2025 hard-requires a DPIA before launching any product or feature that is accessible to children. That is a concrete, in-force trigger showing the DPIA obligation is operational, not theoretical. A DPIA under Article 34 is not a one-page checkbox. It should document the nature and purpose of the processing, the risks to data subjects, and the measures taken to reduce those risks, and it should be revisited when a model or its data changes materially. For a firm deploying automated credit or underwriting decisions, the assessment is the record that the risk was weighed before people were affected, and it is the first thing a supervisor would ask to see.

What it does not do

The law does not ban automated decision-making, and it does not require that every algorithmic decision be made by a human. Article 10 creates a right to object and to human review for a defined class of decisions, not a blanket prohibition. It also does not, on its own, supply the step-by-step procedure for exercising that right; that piece is deferred to the implementing regulation. Reading Article 10 as an outright ban, or assuming the objection process is fully specified today, would overstate the current position.

The cross-border angle for US firms

For a US reader, the important point is that Law No. 27 of 2022 reaches foreign controllers that target Indonesian data subjects. A credit-scoring or underwriting model built and run offshore does not escape the human-review right or the DPIA duty simply because the processing happens outside Indonesia. Any US bank, insurer, lender, or platform that makes automated decisions about people in Indonesia owes the same obligations as a domestic firm, and should treat the DPIA requirement as a present condition of doing business there.

The compliance posture is therefore split but clear. The Article 34 DPIA duty is in force now and should be met before any high-risk automated processing goes live. The Article 10 human-review right is also in force as a substantive entitlement, with only its procedure awaiting the implementing regulation. Firms that wait for that regulation before preparing will be building compliance under deadline pressure rather than ahead of it.

Frequently Asked Questions

What changed under Indonesia's Personal Data Protection Law?

Law No. 27 of 2022 became fully enforceable in October 2024. Article 10 gives people a right to object to decisions based solely on automated processing with legal or significant effect, with human-review mechanics deferred to the pending implementing regulation, and Article 34 requires a data-protection impact assessment before high-risk processing.

Who is affected by these provisions?

Any controller running automated decisioning or profiling with significant effect on Indonesian data subjects, including bank and fintech credit scoring, insurance underwriting, and telco risk models. It also reaches foreign controllers that target Indonesian subjects, so offshore models are not exempt.

Can I use automated decisions in Indonesia at all?

Yes. The law does not ban automated decision-making. It gives affected people a right to object and obtain human review for decisions with legal or significant effect, and it requires a DPIA before high-risk processing. You can run automated systems if you meet those conditions.

Is the Article 10 human-review right fully operational today?

The right itself is in force, but the procedural detail, including response timelines and how a subject formally exercises it, is expected to come from the still-unsigned implementing Government Regulation. The Article 34 DPIA duty, by contrast, is operative now.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.